[strongSwan] IPSec VPN between Cisco ASA and StrongSwan

jm+strongswan at roth.lu jm+strongswan at roth.lu
Mon Apr 27 11:50:14 CEST 2015


Hello,
>
>> It seems to me (I found some hints but no real doc) that you have to
>> specify the direction like this:
>>
>>       lefthost righthost : PSK rightpsk
>>       righthost lefthost : PSK leftpsk
> This can work, but I don't think that it must in all cases. The lookup
> function for shared keys takes the two peer identities. Then each
> identity is matched against each configured PSK identity. So the "match
> quality" for the lookup will be the same.
>
> strongSwan does not really use the concept of "local" or "remote" keys.
> As the name implies, it is a shared key between two entities. Using a
> different PSK for each end is possible in IKEv2, but I don't think that
> there is much benefit from doing so. Each peer has to know each secret
> anyway.

Hi,
Part of what you mention would have been further questions indeed.
So what is the added benefit of having two PSKs, since IKEv2 explicitly 
allows that compared to IKEv1?

Since IPSec SAs are unidirectional in nature, maybe using two PSKs uses a
different PSK in each direction?
In any case, it must be possible to correctly and unambiguously 
configure that in strongswan, is it not?

Best regards,

Marki
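An added illustration, not code from strongSwan or from this thread: a Python model of the identity-pair PSK lookup the quoted reply describes (the scoring rule, the function names and the sample secrets file are assumptions). It shows why two lines listing the same two identities in opposite order score identically and so cannot select a per-direction key.

```python
# Constructed model of the ipsec.secrets PSK lookup described in the quoted
# reply. Not strongSwan's own code; the scoring and sample data are assumptions.
from dataclasses import dataclass

@dataclass
class Secret:
    ids: frozenset   # identity selectors on the line; empty = wildcard entry
    psk: str

def parse_secrets(text):
    """Parse '<id> <id> ... : PSK "<secret>"' lines into Secret objects."""
    secrets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if ":" not in line:
            continue
        selectors, _, rhs = line.partition(":")
        rhs = rhs.strip()
        if not rhs.upper().startswith("PSK"):
            continue                              # only PSK entries are modelled
        psk = rhs[3:].strip().strip('"')
        secrets.append(Secret(frozenset(selectors.split()), psk))
    return secrets

def lookup_psk(secrets, my_id, peer_id):
    """Return the PSKs of every entry sharing the best match quality, where
    quality = number of the two peer identities found among the selectors.
    Selector order is irrelevant, so more than one result means ambiguity."""
    scored = []
    for s in secrets:
        if not s.ids:
            scored.append((0, s.psk))             # wildcard: weakest match
            continue
        q = sum(1 for i in (my_id, peer_id) if i in s.ids)
        if q:
            scored.append((q, s.psk))
    best = max((q for q, _ in scored), default=0)
    return [psk for q, psk in scored if q == best]

# Constructed sample mirroring the two directional lines from the thread.
SAMPLE_SECRETS = """
lefthost righthost : PSK "rightpsk"
righthost lefthost : PSK "leftpsk"
lefthost otherhost : PSK "otherpsk"
: PSK "defaultpsk"
"""

def demo(my_id, peer_id):
    """Lookup against the sample file for the given identity pair."""
    return lookup_psk(parse_secrets(SAMPLE_SECRETS), my_id, peer_id)
```

For ("lefthost", "righthost") the lookup returns both directional entries with equal quality, which is the ambiguity the question is about; a pair that only one line covers, or no line at all, resolves to that line or to the wildcard entry.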

